What is an Adaptive Security Appliance (ASA)?

The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality in one device as well as integrated services with add-on modules. The ASA includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), clustering (combining multiple firewalls into a single firewall), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPsec VPN, SSL VPN, and clientless SSL VPN support, and many more features. ASAs can be installed on virtual machines or supported hardware.

What is an ASA Model?

An ASA model is a copy of the running configuration file of an ASA device that you have onboarded to Security Cloud Control. You can use an ASA model to analyze the configuration of an ASA device without onboarding the device itself.

When is a device Synced?

When the configuration on Security Cloud Control and the configuration stored locally on the device are the same.

When is a device Not Synced?

When the configuration stored in Security Cloud Control was changed and it is now different that the configuration stored locally on the device.

When is a device in a Conflict Detected state?

When the configuration on the device was changed outside of Security Cloud Control (out-of-band), and is now different than the configuration stored on Security Cloud Control.

What is an out-of-band change?

When a change is made to the device outside of Security Cloud Control. The change is made directly on the device using CLI command or by using the on-device manager such as ASDM or FDM. An out-of-band change causes Security Cloud Control to report a "Conflict Detected" state for the device.

What does it mean to deploy a change to a device?

After you onboard a device to Security Cloud Control, Security Cloud Control maintains a copy of its configuration. When you make a change on Security Cloud Control, Security Cloud Control makes a change to its copy of the device's configuration. When you "deploy" that change back to a device, Security Cloud Control copies the changes you made to the device's copy of its configuration. See these topics:

• Preview and Deploy Configuration Changes for All Devices

What ASA commands are currently supported?

All commands. Click the Command Line Interface link under Device Actions to use the ASA CLI.

Are there any scale limitations for device management?

Security Cloud Control's cloud architecture allows it to scale to thousands of devices.

Does Security Cloud Control manage Cisco Integrated Services Routers and Aggregation Services Routers?

Security Cloud Control allows you to create a model device for ISRs and ASRs and import its configuration. You can then create templates based on the imported configurations and export the configuration as a standardized configuration that can be deployed to new or existing ISR and ASR devices for consistent security.

Can Security Cloud Control manage SMA?

No, Security Cloud Control does not currently manage SMA.

Is Security Cloud Control Secure?

Security Cloud Control offers end-to-end security for customer data through the following features:

• Initial Login to Your New Security Cloud Control Tenant

• Authentication calls for APIs and database operations

• Data isolation in flight and at rest

• Separation of roles

Security Cloud Control requires multi-factor authentication for users to connect to their cloud portal. Multi-factor authentication is a vital function needed to protect the identity of customers.

All data, in flight and at rest, is encrypted. Communication from devices on customer premises and Security Cloud Control is encrypted with SSL, and all customer-tenant data volumes are encrypted.

Security Cloud Control's multi-tenant architecture isolates tenant data and encrypts traffic between databases and application servers. When users authenticate to gain access to Security Cloud Control, they receive a token. This token is used to fetch a key from a key-management service, and the key is used to encrypt traffic to the database.

Security Cloud Control provides value to customers quickly while making sure customer credentials are secured. This is achieved by deploying a "Secure Data Connector" in the cloud or a customer's own network (in roadmap) that controls all inbound and outbound traffic to make sure the credential data doesn't leave the customer premises.

I received the error "Could not validate your OTP" when logging into Security Cloud Control for the first time

Check that your desktop or mobile device clock is synchronized with a world time server. Clocks being out of sync by less or more than a minute can cause incorrect OTPs to be generated.

Is my device connected directly to Security Cloud Control cloud platform?

Yes. The secured connection is performed using the Security Cloud Control SDC which is used as a proxy between the device and Security Cloud Control platform. Security Cloud Control architecture, designed with security first in mind, enables having complete separation between data traversing back and forth to the device.

How can I connect a device which does not have a public IP address?

You can leverage Security Cloud Control Secure Device Connector (SDC) which can be deployed within your network and doesn't need any outside port to be open. Once the SDC is deployed you can onboard devices with internal (non-internet routable) IP addresses.

See more information here: Secure Device Connector (SDC)

Does the SDC require any additional cost or license?

No.

How can I check the tunnel status? State options

Security Cloud Control performs the tunnel connectivity checks automatically every hour, however ad-hoc VPN tunnel connectivity checks can be performed by choosing a tunnel and requesting to check connectivity. Results may take several seconds to process.

Can I search a tunnel based on the device name as well as its IP address of one of its peers?

Yes. Search and pivot to a specific VPN tunnel details by using available filters and search capabilities on both name and the peers IP addresses.

While performing complete deploy of device configuration from Security Cloud Control to managed device, I get a warning "Cannot deploy changes to device". What can I do to solve that?

If an error occurrs when you deploy a full configuration (changes performed beyond Security Cloud Control supported commands) to the device, click "Check for changes" to pull the latest available configuration from device. This may solve the problem and you will be able to continue making changes on Security Cloud Control and deploy them. In case the issue persist, please contact Cisco TAC from the Contact Support page.

While resolving out-of-band issue (changes performed outside of Security Cloud Control; directly to a device), comparing the configuration present in Security Cloud Control that of the device, Security Cloud Control presents additional metadata that were not added or modified by me. Why?

As Security Cloud Control expands its functionality, additional information will be collected from the device's configuration to enrich and maintain all required data for better policy and device management analysis. These are not changes that occurred on managed device but already existing information. Resolving the conflict detected state can be easily solved by checking for changes from the device and reviewing the changes occurred.

Why is Security Cloud Control rejecting my certificate?

See Resolving New Certificates

How can I identify a case when two or more access lists (within the same access group) are shadowing each other?

Security Cloud Control Network Policy Management (NPM) is able to identify and alert the user if within a rule set, a rule higher in order, is shadowing a different rule. User can either navigate between all network policies or filter to identify all shadow issues.

Note	Security Cloud Control supports only fully shadowed rules.

The Secure Device Connector changed IP address, but this was not reflected within Security Cloud Control. What can I do to reflect the change?

 Stop Docker deamon>#service docker stop
Change IP address
Start Docker deamon >#service docker start
Restart container on the SDC virtual appliance >bash-4.2$ ./cdo/toolkit/toolkit.sh restartSDC <tenant-name>

What happens if the IP address used by Security Cloud Control to manage my devices ( FTD or ASA) changes?

If the IP address of the device changes for any reason, whether it is a change in the static IP address or a change in the IP address due to DHCP, you can change the IP address that Security Cloud Control uses to connect to the device (see Changing a Device's IP Address in Security Cloud Control) and then reconnect the device (see Bulk Reconnect Devices to Security Cloud Control). When reconnecting the device you will be asked to enter the new IP address of the device as well as re-enter the authentication credentials.

What networking is required to connect my ASA to Security Cloud Control?

• ASDM image present and enabled for ASA.

• Public interface access to 52.25.109.29, 52.34.234.2, 52.36.70.147

• ASA's HTTPS port must be set to 443 or to a value of 1024 or higher. For example, it cannot be set to port 636.

• If the ASA under management is also configured to accept AnyConnect VPN Client connections, the ASA HTTPS port must be changed to a value of 1024 or higher.